Datacentres are a great target and AZs don’t help, so we need edge

On 1 March 2026, Iran fired drones into three Amazon datacentres in the UAE and Bahrain. Banks went dark. Payments stopped. Millions of people across Dubai and Abu Dhabi could not hail a cab or check their balance. The cloud, it turns out, has a postcode. And a postcode can be bombed.

These were not random targets. Iran's Islamic Revolutionary Guard Corps framed the strikes as a response to military and intelligence activity it believed was running through those facilities. And it was not entirely wrong. The line between commercial cloud infrastructure and active defence asset had already gone well before the first drone lifted off. 

Israel had been using Azure servers in the Netherlands to store intercepted intelligence and run AI models. The Trump administration had been using AI systems to assist offensive planning. Once that is public knowledge, the datacentre becomes a legitimate target in the mind of any adversary. That is the world in which we now operate.

The strikes exposed something the industry has been slow to say plainly. These are sprawling, visible buildings whose most critical components sit outside the server hall entirely. Knock out the chillers and the whole thing goes offline. 

The security model that hyperscale operators have built over the past two decades was designed for a specific threat. Namely, a person on the ground. Guards, fencing, cameras, access controls. None of that has any bearing on a kamikaze drone at altitude.

The geography compounds the problem. Seventeen submarine cables run through the Red Sea. With the Strait of Hormuz closed and Houthi operations resuming, both of the region's main data chokepoints were in active conflict zones at the same time. 

That is not a coincidence of bad timing. It is a strategy. Disrupt the digital infrastructure and you disrupt the AI capability that modern military operations are starting to depend on. You also happen to take down the banking system, the ride-hailing apps and the payment terminals of an entire civilian population. The dual-use character of the cloud is a gift to anyone looking to cause maximum disruption at minimum cost.

The industry's response so far has been to point at availability zones. The idea is that separating facilities within a region means a single failure does not take everything down. What the UAE and Bahrain attacks showed is that when multiple zones are hit simultaneously, the model collapses. The architecture was designed to survive one site failing, not a coordinated strike across a region. When the redundancy model and the threat model encounter each other in the real world, the redundancy model loses.

There is another layer that gets less attention. Data localisation laws require organisations in many jurisdictions to keep their data within specific geographic boundaries. In practice that means disaster recovery backups often sit in the same region as the primary facility. If that region comes under attack, you cannot recover what was stored there. The legal framework designed to protect data sovereignty ends up trapping data in a conflict zone.

This is the point at which the architecture question becomes unavoidable. Concentration was always the trade-off the industry chose not to price. Thousands of servers under one roof is efficient in peacetime. It produces excellent economies of scale, competitive pricing and the kind of infrastructure metrics that look good in an investor deck. In conflict, it is a large, fixed, well-known address.

The answer is not missile defence over datacentres, though some analysts have proposed exactly that. That treats the symptom. You are still protecting a single large target, and a sufficiently determined adversary will find its way past whatever perimeter you build around it. The answer is to stop building digital infrastructure like a cathedral and start building it like a field operation. Distributed, hardened, designed to lose a node without losing the network.

Edge computing is not a new idea. The principle is straightforward – move compute closer to where data is generated and used, in smaller units, dispersed across a wider geography. What has changed is the urgency of the argument. 

The resilience case for edge infrastructure used to be made in terms of latency and data sovereignty. Both of those remain valid. But the March strikes added a third argument that is harder to ignore. Namely, that a distributed system cannot be neutralised in a single strike. There is no single building to target, no single power feed to cut.

Modular edge units run on their own power, their own cooling, their own connectivity. They do not depend on the regional grid or a single fibre corridor. They can operate in isolation if the surrounding network goes down. They can be hardened to ballistic standards where the threat environment requires it. They can be deployed in weeks rather than the eighteen months it takes to commission a conventional data hall. And critically, losing one of them does not cascade into a regional outage. The architecture absorbs the blow.

There is an irony worth noting. The military has understood this principle for a long time. No serious defence planner puts all of a theatre's command and communications capability in one building. The doctrine of dispersal, of redundancy by geography rather than by duplication within a single site, is basic field craft. The question is why civilian digital infrastructure was ever built on the opposite principle, and the answer is that peacetime economics rewarded concentration. That calculation has now changed.

The policy window won’t stay open indefinitely. US and Asian manufacturers are not standing still. Government procurement, for defence, healthcare and financial services, should specify edge-first architectures now – before the next conflict proves the point again at greater cost. 

The Middle East didn’t create this problem. It just made it impossible to look away.